|Publication number||US9058419 B2|
|Application number||US 13/461,056|
|Publication date||16 Jun 2015|
|Filing date||1 May 2012|
|Priority date||14 Mar 2012|
|Also published as||CN103309344A, CN103309344B, DE102013203358A1, US20130246866|
|Inventors||Mark H. Costin, Ming Zhao, Paul A. Bauerle, Mahesh Balike, James T. Kurnik|
|Original Assignee||GM Global Technology Operations LLC|
This application claims the benefit of U.S. Provisional Application No. 61/610,696, filed on Mar. 14, 2012. The disclosure of the above application is incorporated herein by reference in its entirety.
The present disclosure relates to systems and methods for verifying the integrity of a safety-critical vehicle control system.
The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Control modules are implemented in a variety of systems to process data and generate control signals. Control modules are increasingly using digital processors in cars, trucks, aircraft and other vehicles to control safety-critical functions such as braking and engine torque output. A primary processor generates control signals based on signals received from various sensors and other devices that monitor operating characteristics such as engine speed, temperature, pressure, and gear ratio. The primary processor processes signal information using an arithmetic logic unit (ALU). If a control signal becomes corrupted as a result of a defective ALU, the primary processor may command the system to take an incorrect action.
Corrupted control signals can result from other failures and/or errors associated with the primary processor and/or other components of the control module. The failures and/or errors may include random access memory (RAM) hardware failures, RAM data storage corruption, read-only memory (ROM) faults, compiler errors and/or program counter errors. Conventional systems often use a secondary processor included in the control module to detect faults in the primary processor. The secondary processor uses an ALU to perform its fault detection that is independent from the ALU used by the primary processor.
A control system according to the principles of the present disclosure includes an operation control module, a fault detection module, a remedial action module, and a reset module. The operation control module controls operation of a vehicle system. The fault detection module detects a fault in the operation control module when the operation control module fails an integrity test. The remedial action module takes a remedial action when the fault is detected. The reset module resets the operation control module when the fault is detected and the remedial action is not taken.
Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the disclosure.
The present disclosure will become more fully understood from the detailed description and the accompanying drawings, wherein:
Control systems that control vehicle systems such as an engine or vehicle brakes may be rated as automotive safety integrity level (ASIL) D systems. ASIL D control systems may include a primary processor that controls a vehicle system and a secondary processor that verifies the integrity of the primary processor. The secondary processor may send signals to the primary processor and the primary processor may send corresponding signals to the secondary processor. If the primary processor does not send corresponding signals to the secondary processor due to a fault, the secondary processor may take a remedial action such as resetting the primary processor and/or transitioning the primary processor to a safe state.
Control systems that control vehicle systems such as an electronic limited slip differential or trailer brakes may be rated as ASIL B control systems. ASIL B control systems may include a processor that controls a vehicle system and a watchdog timer that verifies the integrity of the processor by verifying that certain processes are completed within a time window. Verifying the integrity of a processor using a watchdog timer instead of a secondary processor may reduce cost. The processor may service the watchdog timer at a predetermined interval. If the processor does not service the watchdog timer at the predetermined interval due to a fault such as a hang, the watchdog timer resets the processor. The vehicle system is in a safe state when the processor is reset.
In some instances, a processor may continue to service a watchdog timer even if a fault prevents the system from transitioning to a safe state. For example, a fault may cause the processor to skip a routine that contains instructions for a remedial action, and therefore the processor may not take the remedial action. This issue may be avoided by resetting the processor as soon as a fault is identified. However, this may cause the processor to continuously reset, which may prevent reflashing the processor, retrieving fault codes from the processor, and/or debugging the processor.
A system and method according to the principles of the present disclosure may only reset a processor when both a fault is detected and a remedial action is not taken. The fault may be detected while performing an integrity test such as a program sequence watch test, a checksum test, a stack overflow test, an arithmetic logic unit test, or a configuration register test. The remedial action may include transitioning to a safe state and/or activating a service indicator. In the safe state, the processor may limit actuation of a vehicle system or disable a vehicle system. The processor may be reset by directly forcing a reset or instructing the processor to stop servicing a watchdog timer.
A system and method according to the principles of the present disclosure may verify the integrity of a processor using a watchdog timer while avoiding issues typically associated with a watchdog timer such as those discussed above. Resetting a processor when a fault is detected and a remedial action is not taken ensures that the processor transitions to a safe state when a fault prevents the processor from doing so. Allowing the processor to take a remedial action before resetting the processor prevents the processor from continuously resetting.
Referring now to
The engine control module 110, the transmission control module 112, the eLSD control module 114, or the trailer brake control module 116 may activate a service indicator 120 using, for example, the vehicle bus 118. The service indicator 120 delivers a visual message (e.g. text), an audible message, and/or a tactile message (e.g., vibration) indicating that the vehicle system 100 requires service. The service indicator 120 may be activated when a fault is detected in the vehicle system 100.
Referring now to
As illustrated in
The operation control module 202 stores, retrieves, and executes instructions to perform the basic arithmetical, logical, and input/output operations involved in controlling the trailer brakes 108. The fault detection module 204 performs a number of integrity tests to verify the integrity of the operation control module 202. The integrity tests may include a program sequence watch test, a checksum test, a stack overflow test, an arithmetic logic unit (ALU) test, and/or a configuration register test. The fault detection module 204 detects a fault when the operation control module 202 fails one of the integrity tests. Additionally, the fault detection module 204 may detect a fault when the watchdog timer system 210 continuously resets the operation control module 202. The fault detection module 204 outputs a signal indicating whether a fault is detected.
The program sequence watch test ensures that certain operations are performed in a certain order. The checksum test uses a checksum to ensure that data stored in memory is not altered. The stack overflow test determines whether the amount of memory used in a call stack is greater than expected, causing a stack overflow. The ALU test detects faults in the operation control module 202 that corrupt arithmetic and logic operations. The configuration register test evaluates input/output (I/O) configuration registers within the operation control module 202.
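As an added illustration in C (not code from the patent), two of the integrity tests named above: a program sequence watch that latches a fault when a checkpoint is skipped, repeated or reached out of order, and a checksum test over a memory region using Fletcher-16. The checkpoint ids, loop size and the data being checksummed are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Program sequence watch: the control routine calls seq_checkpoint() at
 * fixed points in a fixed order (ids 0..count-1).  A skipped, repeated or
 * out-of-order checkpoint is latched as a fault for the fault detection
 * module to read at the end of the loop. */
typedef struct {
    uint8_t expected;   /* checkpoint id that must be reached next */
    uint8_t count;      /* checkpoints per control loop (constructed: 4) */
    bool    fault;      /* latched until the loop result is read */
} seq_watch_t;

void seq_watch_init(seq_watch_t *w, uint8_t count)
{
    w->expected = 0;
    w->count = count;
    w->fault = false;
}

void seq_checkpoint(seq_watch_t *w, uint8_t id)
{
    if (id != w->expected)
        w->fault = true;                        /* step skipped or reordered */
    else
        w->expected = (uint8_t)((id + 1) % w->count);
}

/* Read at the end of each control loop: passes only if every checkpoint
 * was hit in order and the sequence wrapped back to id 0.  Re-arms the
 * watch for the next loop. */
bool seq_watch_loop_ok(seq_watch_t *w)
{
    bool ok = !w->fault && w->expected == 0;
    w->fault = false;
    w->expected = 0;
    return ok;
}

/* Checksum test: Fletcher-16 over a memory region (e.g. a calibration
 * table), compared with the reference stored alongside the data. */
uint16_t fletcher16(const uint8_t *data, size_t len)
{
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (uint16_t)((a + data[i]) % 255);
        b = (uint16_t)((b + a) % 255);
    }
    return (uint16_t)((b << 8) | a);
}

bool checksum_test(const uint8_t *data, size_t len, uint16_t reference)
{
    return fletcher16(data, len) == reference;
}
```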
The remedial action module 206 takes a remedial action when the fault detection module 204 detects a fault. The remedial action may include transitioning the operation control module 202 to a safe state and/or activating the service indicator 120. In the safe state, the operation control module 202 may limit actuation of the trailer brakes 108 or disable the trailer brakes 108. Other control modules may limit or disable other vehicle systems when in the safe state. For example, the engine control module 110 may limit spark generation, throttle area, and/or fueling rate when the engine control module 110 is in a safe state. The remedial action module 206 outputs a signal indicating whether the remedial action is taken.
The reset module 208 resets the operation control module 202 when the fault detection module 204 detects a processor integrity fault and the remedial action module 206 does not take a remedial action. The reset module 208 may reset the operation control module 202 when a remedial action is not taken and a predetermined period has elapsed after a processor integrity fault is detected. The reset module 208 may execute a running reset to preserve in memory actions taken before the reset. The reset module 208 may actively reset the operation control module 202 by sending a reset signal to the operation control module 202 or toggling an internal reset line. Alternatively, the reset module 208 may passively reset the operation control module 202 by instructing the operation control module 202 to stop servicing the watchdog timer system 210.
The operation control module 202 services the watchdog timer system 210 (e.g., the watchdog timer module 212 and/or the watchdog timer module 214) at a predetermined interval. If the operation control module 202 does not service the watchdog timer system 210 at the predetermined interval, the watchdog timer system 210 resets the operation control module 202 by, for example, toggling a reset line. Thus, if the reset module 208 instructs the operation control module 202 to stop servicing the watchdog timer system 210 and the predetermined interval elapses, the watchdog timer system 210 resets the operation control module 202. The watchdog timer module 212 may toggle an internal reset line and the watchdog timer module 214 may toggle an external reset line. If the watchdog timer modules 212, 214 conflict as to whether to reset the operation control module 202, the resetting module may prevail.
The operation control module 202, the fault detection module 204, the remedial action module 206, the reset module 208, and the watchdog timer system 210 may execute separate routines in parallel with one another. In turn, a fault in the operation control module 202 may not prevent the fault detection module 204, the remedial action module 206, the reset module 208, and the watchdog timer system 210 from performing their respective tasks. For example, a fault in the operation control module 202 may not prevent the fault detection module 204 from detecting a processor integrity fault or prevent the remedial action module 206 from taking a remedial action.
The operation control module 202 may execute a first routine at a first loop rate (e.g., 12.5 milliseconds) to control the trailer brakes 108. The fault detection module 204 may execute a second routine at a second loop rate (e.g., 50 milliseconds) to perform the integrity tests. The fault detection module 204 may execute the second routine in parallel with the first routine. The reset module 208 may execute a third routine at a third loop rate (e.g., 6.25 milliseconds) to determine whether to reset the operation control module 202. The reset module 208 may execute the third routine in parallel with the first routine.
Referring now to
At 306, the method determines whether a processor integrity fault is detected. The method may detect a processor integrity fault while performing one of the integrity tests. If a processor integrity fault is detected, the method continues at 308. Otherwise, the method continues at 304. At 308, the method takes a remedial action. The remedial action may include transitioning the control system to a safe state and/or activating a service indicator. In the safe state, the control system may limit actuation of the vehicle system or disable the vehicle system.
At 310, the method determines whether the remedial action is taken. The method may determine whether the remedial action is taken within a predetermined period after a processor integrity fault is detected. If the remedial action is taken, for example, within the predetermined period, the method continues at 304. Otherwise, the method continues at 312. At 312, the method resets the processor. The method may actively reset the processor. Alternatively, the method may passively reset the processor by ensuring that the processor stops servicing the watchdog timer.
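An added example in C, not the patent's own implementation, of the reset decision described for the reset module 208 and for steps 306 to 312 above: the processor is reset only when a fault is detected and no remedial action is reported within a predetermined period, and the reset is passive, by withholding watchdog service. The 6.25 ms loop rate is the one the patent gives for the reset routine; the 50 ms remedial window and 100 ms watchdog timeout are assumed values.

```c
#include <stdbool.h>

/* Constructed timing: the reset routine runs every 6.25 ms (the patent's
 * third loop rate), the remedial action module gets a 50 ms window, and
 * the watchdog expires after 100 ms without service (both assumed). */
#define RESET_LOOP_MS       6.25
#define REMEDIAL_WINDOW_MS  50.0
#define WATCHDOG_TIMEOUT_MS 100.0

typedef struct {
    double ms_since_fault;    /* how long a fault has been pending unremedied */
    bool   service_watchdog;  /* cleared once the passive reset is armed */
} reset_module_t;

typedef struct {
    double elapsed_ms;        /* time since the watchdog was last serviced */
    bool   reset_asserted;
} watchdog_t;

/* One pass of the reset routine (steps 306-312): the processor is reset
 * only when a fault is detected AND no remedial action was taken within
 * the window.  The reset is passive: watchdog service is withheld, so
 * the decision is irrevocable once made.  Returns true when reset is armed. */
bool reset_module_step(reset_module_t *m, bool fault, bool remedial)
{
    if (!m->service_watchdog)
        return true;                         /* already committed to reset */
    if (!fault || remedial) {
        m->ms_since_fault = 0.0;             /* healthy, or fault remedied */
        return false;
    }
    m->ms_since_fault += RESET_LOOP_MS;
    if (m->ms_since_fault >= REMEDIAL_WINDOW_MS)
        m->service_watchdog = false;         /* stop servicing: WDT will fire */
    return !m->service_watchdog;
}

/* Watchdog timer module: asserts reset if not serviced within the timeout. */
void watchdog_tick(watchdog_t *wd, bool serviced, double dt_ms)
{
    wd->elapsed_ms = serviced ? 0.0 : wd->elapsed_ms + dt_ms;
    if (wd->elapsed_ms >= WATCHDOG_TIMEOUT_MS)
        wd->reset_asserted = true;
}

/* Simulates a permanent fault flagged from tick 1.  remedial_tick is the
 * tick at which the remedial action module reports success (0 = its
 * routine never runs, the case the reset module exists for).  Returns the
 * tick at which the watchdog resets the processor, or -1 if it never does. */
int simulate_fault(int remedial_tick, int max_ticks)
{
    reset_module_t m = { 0.0, true };
    watchdog_t wd = { 0.0, false };
    for (int t = 1; t <= max_ticks; t++) {
        bool remedial = remedial_tick > 0 && t >= remedial_tick;
        reset_module_step(&m, true, remedial);
        watchdog_tick(&wd, m.service_watchdog, RESET_LOOP_MS);
        if (wd.reset_asserted)
            return t;
    }
    return -1;
}
```

With these values a fault that is never remedied leads to a watchdog reset at tick 23 (50 ms of waiting plus 100 ms of starved watchdog), while a remedial action reported before the window closes avoids the reset entirely; a remedial action reported after the window has closed is too late, since service has already been withheld.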
The foregoing description is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. The broad teachings of the disclosure can be implemented in a variety of forms. Therefore, while this disclosure includes particular examples, the true scope of the disclosure should not be so limited since other modifications will become apparent upon a study of the drawings, the specification, and the following claims. For purposes of clarity, the same reference numbers will be used in the drawings to identify similar elements. As used herein, the phrase at least one of A, B, and C should be construed to mean a logical (A or B or C), using a non-exclusive logical OR. It should be understood that one or more steps within a method may be executed in different order (or concurrently) without altering the principles of the present disclosure.
As used herein, the term module may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC); an electronic circuit; a combinational logic circuit; a field programmable gate array (FPGA); a processor (shared, dedicated, or group) that executes code; other suitable hardware components that provide the described functionality; or a combination of some or all of the above, such as in a system-on-chip. The term module may include memory (shared, dedicated, or group) that stores code executed by the processor.
The term code, as used above, may include software, firmware, and/or microcode, and may refer to programs, routines, functions, classes, and/or objects. The term shared, as used above, means that some or all code from multiple modules may be executed using a single (shared) processor. In addition, some or all code from multiple modules may be stored by a single (shared) memory. The term group, as used above, means that some or all code from a single module may be executed using a group of processors. In addition, some or all code from a single module may be stored using a group of memories.
The apparatuses and methods described herein may be implemented by one or more computer programs executed by one or more processors. The computer programs include processor-executable instructions that are stored on a non-transitory tangible computer readable medium. The computer programs may also include stored data. Non-limiting examples of the non-transitory tangible computer readable medium are nonvolatile memory, magnetic storage, and optical storage.
|International Classification||G06F1/24, G06F11/36, G06F11/00|
|Cooperative Classification||B60W2050/0292, B60W2050/0083, B60W2050/041, B60W50/04, G06F1/24, G06F11/3604|